helm/infrastructure/subcharts/prometheus/templates/server-podsecuritypolicy.yaml

   1 {{- if .Values.rbac.create }}
   2 {{- if .Values.podSecurityPolicy.enabled }}
   3 apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }}
   4 kind: PodSecurityPolicy
   5 metadata:
   6   name: {{ template "prometheus.server.fullname" . }}
   7   labels:
   8     {{- include "prometheus.server.labels" . | nindent 4 }}
   9   annotations:
  10 {{- if .Values.server.podSecurityPolicy.annotations }}
  11 {{ toYaml .Values.server.podSecurityPolicy.annotations | indent 4 }}
  12 {{- end }}
  13 spec:
  14   privileged: false
  15   allowPrivilegeEscalation: false
  16   allowedCapabilities:
  17     - 'CHOWN'
  18   volumes:
  19     - 'configMap'
  20     - 'persistentVolumeClaim'
  21     - 'emptyDir'
  22     - 'secret'
  23     - 'hostPath'
  24   allowedHostPaths:
  25     - pathPrefix: /etc
  26       readOnly: true
  27     - pathPrefix: {{ .Values.server.persistentVolume.mountPath }}
  28   {{- range .Values.server.extraHostPathMounts }}
  29     - pathPrefix: {{ .hostPath }}
  30       readOnly: {{ .readOnly }}
  31   {{- end }}
  32   hostNetwork: false
  33   hostPID: false
  34   hostIPC: false
  35   runAsUser:
  36     rule: 'RunAsAny'
  37   seLinux:
  38     rule: 'RunAsAny'
  39   supplementalGroups:
  40     rule: 'MustRunAs'
  41     ranges:
  42       # Forbid adding the root group.
  43       - min: 1
  44         max: 65535
  45   fsGroup:
  46     rule: 'MustRunAs'
  47     ranges:
  48       # Forbid adding the root group.
  49       - min: 1
  50         max: 65535
  51   readOnlyRootFilesystem: false
  52 {{- end }}
  53 {{- end }}